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We present an experimental realization of a quantum digital signature protocol which, together with a standard 
quantum key distribution link, increases transmission distance to kilometre ranges, three orders of magnitude 
larger than in previous realizations. The bit-rate is also significantly increased compared with previous quantum 
signature demonstrations. This work illustrates that quantum digital signatures can be realized with optical 
components similar to those used for quantum key distribution, and could be implemented in existing optical 
fiber networks. 


I. INTRODUCTION 

Signature schemes are widely used in electronic communication to guarantee the authenticity and transferability of 
messages. Transferability means that a signed message is unlikely to be accepted by one recipient and, if forwarded, 
subsequently rejected by another recipient iQl]. This property distinguishes signature schemes from message authenti¬ 
cation schemes, in which there is no transferability requirement. Transferability is closely related to non-repudiation; 
message repudiation would mean that a sender can successfully deny having sent a message they really did send. The 
most widespread signature schemes are the public key protocols RSA DSA IH] and ECDSA |3l, in which security 
depends on the computational difficulty of factorising large numbers or finding discrete logarithms. Since the secu¬ 
rity of such schemes is not information-theoretic, but relies on computational assumptions, it can be retrospectively 
affected by future advances in technology or the discovery of efficient algorithms. In fact, all of the above schemes 
are known to be insecure against an adversary with a quantum computer J^]. 

The security of quantum digital signatures (QDS) IB. 01 > on the other hand, is information-theoretic, guaranteed 
by the laws of quantum mechanics to be secure against an adversary with infinite computational capabilities. This is 
a potentially significant advantage. There also exist unconditionally secure “classical” digital signature schemes fst]. 
In addition to requiring pairwise secret classical communication channels (which could be achieved using QKD), the 
scheme by Chaum and Roijakkers |0 requires an authenticated broadcast channel (a significantly more challenging 
prospect), and the one by Hanaoka et al. in is phrased in terms of a third party, trusted by all participants. Such 
assumptions are not straightforward and are not required in QDS protocols. Pairwise message authentication can 
be efficiently implemented with information-theoretic security using short pre-shared keys and is not equivalent 
with the stronger assumption of an authenticated broadcast channel. Eurther, information-theoretically secure secret 
classical channels can be generated using QKD. Therefore, even in terms of required resources, if the secret shared 
keys are generated using QKD, QDS schemes are no more demanding than the “classical” unconditionally secure 
signature schemes. 

Although QDS has been successfully realized in the lab between three parties, a sender Alice and two receivers 
Bob and Charlie CIB, the transmission distance for these realizations was limited to the order of meters. The 
earliest versions of QDS protocols |@, [12] also required long-term quantum memory |[l4l - [l2] to store the signature 
states at the receivers, making full implementation difficult with currently available technology. The requirement for 
quantum memory is removed if the recipients directly measure the quantum states sent by Alice, for example using 
unambiguous state elimination (USE) |[l2. [l2] . and then storing only the classical measurement outcomes Cl El. 
However, these QDS schemes still relied on a multiport to guarantee non-repudiation, comprising two intertwined 
interferometers controlled locally by Bob and Charlie. The multiport design required internal delays equal to the 
link length between Bob and Charlie, as well as introducing unavoidable additional high optical loss, restricting the 
practical transmission distance to approximately 5 m fl^fl^ . 
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II. DESCRIPTION OF METHOD 


For QDS to be useful in real world applications, protocols which allow for higher transmission rate and greater 
distance between parties must be developed and demonstrated experimentally. In this paper we present an experimental 
realization of a key part of such a protocol, along the lines of new QDS protocols in 112^ . The experimental system, 
outlined in Figure[T]and described in greater detail in the Appendix, uses similar optical components to those currently 
employed in phase-encoded QKD experiments ll2l1 - l^ . thus greatly improving the practicality of QDS. 

Signature protocols have two stages, a distribution stage and a messaging stage. The scheme is set up in the 
distribution stage, to enable signed messages to be sent and received in the messaging stage, which could occur at 
any future date. An outline of the protocol will be presented here with a more complete description in the Appendix. 
We will describe how to sign a 1-bit message m; longer messages may be sent by suitably iterating this procedure. 
In the distribution stage, Alice chooses two random sequences of L phase-encoded coherent states, one sequence for 
each possible message, 0 or 1. Increasing the length L of the sequence will increase the security of the scheme. The 
security also depends on other parameters, such as the mean photon number per pulse \a\^ and on imperfections in 
the setup 0. Alice chooses her quantum states randomly from a known alphabet of non-orthogonal quantum states, 
in our case the four phase-encoded states |a), and relative to a common phase reference. 

She keeps the complete classical description of the two sequences secret; this constitutes her “private key”. Non- 
orthogonal quantum states cannot be perfectly distinguished from each other, so only Alice can know her full private 
key. The phase reference pulse in our implementation is strong, so that tampering with it could in principle be detected 
by performing state tomography. 

Alice sends one copy of each sequence of coherent quantum states to both Bob and Charlie, throu gh sep arate 
quantum channels. Bob and Charlie measure the received coherent states, in our case using quantum USE loll^UCT . 
ruling out zero, one or more of the four possible phases for each position in each sequence of states. Bob and Charlie 
perform the measurements by combining the suitably adjusted reference pulses with the signal pulses using two beam 
splitters, one for each non-orthogonal phase pair in the four-state alphabet. Each detection event eliminates one of 
the four possible states sent by Alice. In Figure [T] the phase of the reference state entering beam splitter 2 at Bob is 
set so that he can eliminate the 0 and n phases, and the phase at beam splitter 3 is set to eliminate the n/2 and 3n/2 
phases. From the detection statistics, one can calculate the conditional probabilities for Bob to eliminate each of the 
four states, given that Alice sent a particular state. An example of this so-called cost matrix is illustrated in Figure|2a) 
for |ap = 0.5. 

Bob and Charlie now each have a measurement record for the sequences sent by Alice. They then both randomly 
and independently choose half of their measurement outcomes to forward to the other recipient. They keep secret 
from Alice which measurement outcomes are forwarded and which are kept. This last step is not implemented in our 
present setup, but could be achieved using a standard QKD link. Employing a standard QKD link does not have an 
impact on the maximum transmission distance or security level of the system and does not add further complications 
in the security analysis. This is because it is only used to secure the classical processing after the coherent states 
have been transmitted and measured. The random forwarding procedure replaces the symmetrising multiport in earlier 
implementations and ensures that Bob and Charlie obtain the same measurement statistics irrespective of what states 
Alice sends them. This is true even for the most general cheating strategies by Alice, which could involve entangled 
states. A dishonest Alice could attempt repudiation, that is, deny having sent a message that she actually did send. If 
the whole signature scheme is to have information-theoretic security, then a secret classical communication channel 
with information-theoretic security is needed for forwarding the measurement results, since otherwise security against 
repudiation would not be information-theoretic. At the end of the distribution stage. Bob and Charlie should each be 
left with different and incomplete descriptions of the signature sent by Alice, which are kept until the messaging stage. 

In the messaging stage, Alice chooses a message m and sends it together with her corresponding private key, that 
is, the classical description of the corresponding sequence of quantum states, to the intended recipient, say Bob. All 
communication during the messaging stage takes place over pairwise authenticated classical communication channels; 
quantum communication is needed only in the distribution stage. To accept the message. Bob checks Alice’s private 
key against his measurement record for the message m. He accepts the message if he finds fewer than Lsa mismatches, 
where Sa is an authentication threshold and L is the length of the sequences chosen by Alice. 

If Bob wishes to forward the message, he sends the message together with Alice’s private key to Charlie. Charlie 
then checks for mismatches in the same way as before, but applies a different verification threshold Sy, which is larger 
than Sa- The message is only accepted if there are fewer than Lsy mismatches. It is important that the threshold for 
accepting a message directly from Alice is different from the threshold for accepting a forwarded message. Otherwise 
Alice could repudiate with high probability |@]. Signing a message uses up the distributed signatures, which cannot be 
reused. 

Here, as for all existing QDS protocols, we assume that none of the participants are tampering with or eavesdropping 
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FIG. 1: (Color online). Experimental setup for kilometer-range quantum digital signatures. Alice uses a pulsed 850 nm wavelength 
vertical cavity surface emitting laser (VCSEL) diode to generate coherent states. She encodes her phase shift hy using a lithium 
niobate (LiNb 03 ) phase modulator, choosing randomly between the four possible phases. Alice sends the coherent states through 
standard telecommunications optical fiber to the receivers, who then measure the received coherent states. Sender and receivers are 
constructed from 4.4 pm core diameter polarization-maintaining optical fiber to improve the interferometric visibility. Polarization 
routing of modulated signal and unmodulated reference was carried out using polarization dependent beam splitters (PBS), and 
static polarization controllers (SPCs) were used to correct for polarization shift induced by birefringence in the telecommunications 
hber. 


on the quantum channels between other participants. It is expected this assumption could be removed by using a 
parameter estimation procedure analogous to that used in QKD ll^ . By declaring (sacrificing) some of the states 
sent during the distribution stage, participants should be able to estimate the level of eavesdropping, aborting if it is 
too high. When considering security against forging by either Bob or Charlie, one assumes that the other recipient 
and Alice are honest, since no protocol can guarantee security if two of the three parties are dishonest and collude. 
Similarly, when considering security against repudiation by Alice, one assumes that Bob and Charlie are honest. 

All pairwise classical communication in the present protocol, just as for QKD, must be authenticated. Pairwise 
message authentication can in modern cryptography be efficiently implemented using “short” pre-shared keys llH. It 
is not, even in principle, possible to prevent man-in-the-middle-attacks in QKD or QDS schemes unless there has been 
some prior interaction between parties. If information-theoretic security is required, one needs to use an appropriate 
authentication scheme for all classical communication j^ . The security analysis for the QDS protocol implemented 
here proceeds much as in Collins et al. ifT^ and is detailed in the Appendix. 


III. EXPERIMENTAL RESULTS 

In Figure 12] we plot experimental data and parameters for a range of mean photon numbers |ap sent by Alice. 
When |ap increases, the probability that a forger will be able to select the correct declaration increases, but likewise 
does an honest recipient’s ability to detect mismatches in a fake declaration. It is therefore highly non-trivial to 
determine the optimal value of |ap. The gap, g, between the probability for a forger’s fake declaration to be rejected 
and the probability for Alice’s true declaration to be rejected, i.e. g = C,„,„ — Ph (see the Appendix), depends on |ap 
and we choose the optimal value of |a|^ that maximises g. Other experimental parameters such as system loss and 
interferometric visibility are also taken into account in the cost matrices that are used to obtain C,nm and thus the gap 
g. It can be seen from Figure|2]c) that maximum gap occurs around |ap = 0.4 for transmission distances of 500 m, 
1000 m and 2000 m, showing that this value of |ap is the best choice for the sender in this particular experimental 
implementation. 

For the desired security level, the length required to sign one half-bit can then be calculated using 
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FIG. 2: (Color online). Experimental results and calculated parameters for one of the recipients, Bob. In our experiment, measure¬ 
ment statistics for Bob and Charlie was very similar, a) Conditional probabilities for unambiguous state elimination by Bob, with 
|o£p = 0.5. These probabilities are used to calculate the gap g and the required signature length per half-bit. b) the time required for 
Alice to send a half-bit to Bob. c) The gap achieved in the experiments is a calculated from a combination of information from both 
receivers’ cost matrices, d) The length L required to prevent forging and repudiation, per half-bit of message, for a security level of 
0.01%. For all sub-figures at 500 m, mean photon number points of 0.1, 0.9 and 1 have been removed. Here, the combination of 
count rate and the dead time of the detector led to non-linearity in the detection. 


^(protocol failure) = ^ (see the Appendix). In this paper, we have used a security level of 0.01%. The 

resulting signature length for each half-bit is graphed in Figure|2d) for varying |ap. As |ap increases, the length per 
half-bit dips to a minimum and increases again. For our experimental data, the maximum value for the gap and the 
minimum values for the length are around \a\^ = 0.4. 

To further illustrate the measurements by the recipients, experimental success rates are shown in Figure [3] A 
successful USE measurement means eliminating any state except the state Alice sent. On average, the USE success 
rate is 80% of the raw count rate. Only a single detection event is required to eliminate a state, and therefore the 
success rate is higher than for unambiguous state discrimination (USD), where one has to eliminate all possible states 
except the one sent. The success rate for USD is typically many orders of magnitude lower than the time-gated detector 
count rate Q. The failure rate of USE (eliminating the state that was actually sent) depends on the visibility of the 
interferometers formed by Alice’s state preparation and the receiver’s detection setup. In the security proof we assume 
that Alice has full control over the failure rate and so can generate any number of mismatches she likes. For these 
experiments, the USE failure rate was on average 1.7% of the pulse repetition rate. Knowing Alice’s repetition rate 
and the signature length L required to sign a half-bit message allows us to calculate the time it would take for Alice to 
send one half-bit using the current system. 


IV. DISCUSSION 

In a previous QDS experiment using quantum state elimination and a mulitport ifT^ . with a transmission distance 
of 5 m, the largest gap was found to be 1.20 x 10^®, which occurred for |ap = 1. The USE success rate was 2 x 10^ 
counts per second. For a security level of 0.01%, the length L required to securely sign a half-bit was found to be 
5.0 X 10*^, and the estimated time it would take to securely sign a half-bit was over eight years. In contrast, for the 
present setup and a transmission distance of 500 m, the maximum gap, g = 2.86 x lO^"*^, occurs at a |ap = 0.5, with a 
USE success rate of 2.48 x 10® . This gap is two orders of magnitude greater than for the previous short-range system. 
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FIG. 3: (Color online). Unambiguous state elimination (USE) success rate at different transmission distances for Bob. Results for 
Bob and Charlie are again very similar so only results for Bob are shown. The failure rate of USE is on average only 1.7% of the 
pulse-repetition frequency and is not plotted. Eor transmission distance 500 m, points for mean photon number 0.1, 0.9 and 1 have 
been removed, since here, the combination of count rate and the dead time of the detector led to non-linearity in the detection of 
events. 


The length L per half-bit for this new realization is 1.93 x 10® for a security level of 0.01%, and the estimated time it 
would take to securely sign a half-bit is less than 20 seconds. As the transmission distance increases, the time taken to 
sign one half-bit naturally increases, but even at 2000 m the time taken to sign one half-bit is four orders of magnitude 
smaller than in the previous experimental demonstrations of QDS. 

The system reported in this letter operates over relatively short distances when compared to the current maximum 
transmission distances achieved for QKD experiments 11^ (Quite apart from the increased losses of 2.2 dbkm"^ ex¬ 
perienced in the standard telecommunications hbre quantum channel at the wavelength of 850 nm selected for these 
experiments as opposed to 0.2 dbkm"^ at the wavelength of 1550 nm typically used in the QKD experiments, this 
letter reports a QDS protocol and it is to previous experimental QDS systems that it must be compared. In particular, 
because of differences in the security analysis, one would not expect, a-priori, that the exact same physical implemen¬ 
tation leads to comparable distances of QKD and QDS protocols. 

Although the new protocol demonstrated in this paper shows a signihcant enhancement in transmission distance and 
message signing rate compared with previous QDS demonstrations, further improvements in signature transmission 
rate, in particular, will be necessary to fully exploit the potential of QDS. The largest scope for improvement seems 
to lie in having Alice send different sequences of states to Bob and Charlie. This reduces each participant’s ability to 
forge, while retaining security against repudiation due to the exchange of measurement outcomes performed by Bob 
and Charlie ll^ . 

The recently proposed signature protocol “P2” in uses standard QKD systems to hrst generate pairwise shared 
keys between all parties. The secret keys are then used to sign messages. Currently, such schemes seem more efficient 
than any proposed quantum protocol that directly signs a message without hrst distilling a secret key. Nevertheless, 
“direct” quantum signature protocols, such as the one discussed in this paper, are still worth investigating, as they may 
eventually prove better than signature protocols based on secret shared keys. For example, direct quantum protocols 
can remain secure even if the available quantum channels are too noisy for practical QKD The most efficient 
direct quantum protocol should intuitively be at least as efficient as protocols proceeding via hrst distilling shared secret 
keys, and then using the shared keys to sign messages. There could also be other advantages with direct quantum 
protocols. If quantum channels of sufficiently high quality are available, then direct quantum signature protocols 
should need quantum channels only between the sender and each recipient, as opposed to QKD links between each 
party for protocols similar to P2. This means that the number of quantum channels scales only linearly with the number 
of recipients for direct quantum signature schemes, as opposed to quadratically for schemes similar to P2. Compared 
with work on QKD, very little work has been done on QDS schemes. This is surprising, given the wide usage and 


5 





Experimental demonstration of kilometer-range quantum digital signatures 


importance of signature schemes in modern communication. We are confident that demonstrating kilometer-range 
quantum signature schemes, using the same technical components as QKD, will stimulate wider interest in developing 
the next generation of quantum signature protocols for real-world optical networks. 
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APPENDIX 

I. PROTOCOL 


The protocol presented in this paper is similar to PI’ from reference ll20l] . but with two important differences. First, 
we require Bob and Charlie to record whether each measurement outcome they hold came directly from Alice or 
whether it was forwarded to them by the other recipient. Second, the experiment uses weak coherent states instead 
of true single-photon states. This means that the security proofs presented for protocol PI’ do not apply, and instead 
we follow the methods applied in ifT^ for security against individual and collective forging attacks. The protocol is as 
follows: 


A. Distribution Stage 


1. For each future one-bit message k = 0,1, Alice generates two copies of sequences of coherent states, 
QuantSigk = < 8*^=1 pf where pf = \b^ia){b\a\, a is a real positive amplitude, b\ G { 1 , 1 , — 1 , — 1 } are randomly 
chosen and L is a suitably chosen integer (the signature length). The state QuantSigk and the sequence of 
numbers PrivKeyt = {b\, ■■■,b^i) are called the quantum signature and the private key, respectively, for message 
k. 


2. Alice sends one copy of QuantSigk to Bob and one to Charlie, for each possible message k = 0 and k = 1. 


3. Bob and Charlie measure each state received using quantum unambiguous state elimination (USE) for 
{|a), ji'a), I — a), | — /a)}. For every element of each quantum signature (for k = 0, 1), they store which de¬ 
tectors detected photons; each detector rules out one possible phase state. They therefore store sets of six 


numbers (hexaplets) of the form {k, l',aQ , ct\ 2 ,a 


k/ k,l' k/ k,l' 


}, where 1 <l' <L and a^^ € {0,1}. Here, a^’‘ = 0 


k/ 


k/ 


means that no photons were detected at the detector (that is, the phase 0 is not ruled out), while = 1 
means that there was at least one photon detected at the detector (that is, the phase 0 is ruled out for this 
element). By -i0 detector we symbolise the “not 0” detector. Note that, due to losses, many of the hexaplets 
will have = 0 for all 0 . 


4. Once all states have been received and all hexaplets recorded. Bob and Charlie each independently choose half 
(L/2) of their hexaplets and send them to the other participant. To do this, they use a secret classical channel so 
that Alice has no information regarding which participant holds which hexaplet. Bob and Charlie keep a record 
of whether a particular hexaplet came from Alice or whether it was forwarded by the other recipient. 


B. Messaging Stage 

1. To send a signed one-bit message m, Alice sends {m,PrivKeym) to the desired recipient (say Bob). 

2 . Bob checks whether {m,PrivKey,n) matches both of his stored sequences - the one he received directly from 
Alice, and the one he received from Charlie. In particular, he counts the number of elements of PrivKey,„ which 
disagree with his stored hexaplets. Therefore, for a given element / of the signature, if Alice’s declaration was 
0, Bob needs to check if is 0 or 1. If = 1, he registers one mismatch. In other words, a mismatch is 
registered whenever Alice’s declaration for a given element has been eliminated by Bob’s USE measurement. 
Bob checks, for each of his stored sequences, whether the number of mismatches is below SaLjl, where Sa is 
an authentication threshold. Bob accepts the message only if both of his sequences have fewer than SaLjl 
mismatches, i.e. both the sequence received directly from Alice, and the sequence received from Charlie. 

3. To forward the message to Charlie, Bob forwards to Charlie the pair {m,PrivKeym) he received from Alice. 
Charlie tests for mismatches similarly to Bob, but to protect against repudiation by Alice, he uses a different 
threshold. For each of his sequences - the one received directly from Alice and the one received from Bob - 
Charlie checks if the number of mismatches is below s^Lj!, where s^ is the verification threshold, with Sa < s^. 
Charlie accepts the message only if both of his sequences have fewer than SvL/2 mismatches. 
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II. SECURITY 


The quantum signature protocol is designed to be secure against two types of dishonesty: forging and repudiation. 
Security against forging requires that any participant receiving a message will, with high probability, reject a message 
that did not originate with Alice. Security against repudiation requires that, with high probability, Alice cannot make 
Bob and Charlie disagree on the validity of her message, i.e. she cannot make one participant accept and the other 
reject her message. In this section we will show that the probabilities of forging and repudiation decay exponentially in 
the signature length, L. Further, we will show that the protocol is robust, i.e. if all participants are honest, the protocol 
works and does not abort, except with a probability exponentially small in L. 

For forging one can distinguish different types of malicious attacks. In individual attacks, the cheating party employs 
a strategy separately and independently for each signature element. In collective attacks, there may be classical 
correlations between strategies for different signature elements. Coherent attacks are the most general type; here a 
cheating party can employ any type of correlations, including entanglement and measurements in an entangled basis. 
Note that the same distinctions apply in principle to repudiation attempts from Alice. However, when proving security 
against repudiation we will assume that Alice can exactly control the number of mismatches her signature generates 
with Bob’s and Charlie’s measurement outcomes. This covers all types of attack from Alice and so the distinction 
between individual, collective and coherent attacks is not made. Security is proven for all types of repudiation attacks, 
and all types of forging except coherent forging attacks. We will treat individual forging attacks in detail. Security 
against collective forging attacks then follows because the optimal collective forging strategy is actually an individual 
strategy, as argued in fo . 


A. Model Assumptions 

Here, as in all previous QDS protocols, we assume that the quantum channels between participants do not allow 
tampering or eavesdropping from a third party. It is expected that this assumption could be removed by using a 
parameter estimation procedure analogous to that used in QKD J^. By sacrificing part of the states sent during the 
distribution stage, participants should be able to estimate the level of tampering and eavesdropping. 

All pairwise classical communication in the present protocol, just as for QKD, must be authenticated. Pairwise 
message authentication can be efficiently implemented with information-theoretic security using short pre-shared keys 
d. Without this authentication, it is not possible, even in principle, to prevent “man-in-the-middle” attacks in QKD 
or QDS schemes . Thus neither QKD nor QDS can be implemented without some prior interaction between parties. 
It is important to note that pairwise authentication between parties is far simpler to achieve than an authenticated 
broadcast channel. 


B. Security Against Repudiation 

To repudiate, Alice aims to send a declaration {m,Sigm) which Bob will accept and which Charlie will reject. To 
do this. Bob must accept both the elements that Alice sent directly to him, and the elements that Charlie forwarded to 
him. In order for Charlie to reject he need only reject either the elements he received from Alice, or the elements Bob 
forwarded to him. Intuitively, security against repudiation follows because of the symmetrisation of measurement out¬ 
comes performed by Bob and Charlie using the secret classical channel. Bob and Charlie perform USE measurements 
on each of the states sent to them by Alice so that they hold the L hexaplets {bi,...,bL) and {ci,...,cl) respectively. 
We give Alice full powers and assume that later on, in the messaging stage, she is able to fully control the number 
of mismatches her signature declaration, PrivKey,n, contains with the hexaplets {bi,...,bL) and (ci,...,cl). Call the 
mismatch rates eg and ec respectively. The symmetrisation process means that Bob and Charlie will randomly (and 
unknown to Alice) receive L/2 of the others’ hexaplets. We show that all choices of es and ec lead to an exponentially 
decaying probability of repudiation. 

Suppose Alice chooses ec> sa- In this case. Bob is selecting (without replacement) L/2 elements from the set 
{ci,..., Ci}, which contains exactly ecP mismatches with Alice’s declaration. The number of mismatches Bob selects 
then follows a hypergeometric distribution//(L,ecL,L/2) with expected value ecLjl. For the message to be accepted. 
Bob must select fewer than SaLjl errors. The tails of a hypergeometric distribution can be bound, using ll^ . to give 
an inequality with the same form as a Hoeffding Inequality. We bound the probability that Bob selects fewer than 
SaL/2 mismatches as 

P(Bob receives fewer than SaL/2mismatches from Charlie) < exp(—(e^ — Sa^L). 
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To repudiate, Alice must make Bob accept the message, which means that Bob must accept both the part received from 
Alice and the part received from Charlie. Since P(A flB) < min{P(A),P(B)}, the probability of repudiation must be 
less than or equal to the above expression, and so must also decrease exponentially. 

Now suppose ec < ««. In this case, if es > Sa the above argument shows that it is highly likely that Bob will reject 
the message, so we consider only the case where < Sa- Consider first the set {b\, ...,bL}. We can use the same 
arguments as above to bound the probability of selecting more than SvL/2 mismatches as 

P(Charlie selects more than i,,L/2mismatches from Bob) < exp(—(iy — eB)^L). 

For Alice to successfully repudiate, Charlie must select more than SyL/2 mismatches from either the set {bi,...,bi} or 
the set {ci, ...,cl}. Using P(A UB) < P(A) -|-P(B), we can see that, for the choice of eB,ec ^ Ai, we have 

P(Charlie selects more than s,,L/2 mismatches) < 2exp(—(s,, — Sa)^L). 


So again, the probability of Alice successfully repudiating decreases exponentially in the size of the signature. Similar 
to Alice’s best strategy would be to pick es = ec = j {sv + Sa), in which case 


P(Repudiation) < 2 exp 



( 1 ) 


C. Security Against Individual and Collective Forging 


In order to forge. Bob must make a declaration with fewer than s,,L/2 errors with the L/2 elements Charlie received 
directly from Alice. To bound the probability of Bob being able to make such a declaration, we will follow the cost 
matrix analysis performed in ifoll . For a given individual signature element, we define the cost matrix for Bob as 

a matrix where the rows correspond to which state Alice sent (|exp(/0)a)), while the columns correspond to the 

detectors D{^9). Each matrix element Cij can be taken equal to the probability that if the /’th state is sent, then 
Charlie’s /th detector clicks. This is because Bob should avoid declaring a phase that Charlie has eliminated. His 
cost for making a particular declaration will therefore be proportional to the probability that Charlie has ruled out this 
state. When |o:p = 0.4, and over a distance of 500m, the experiment gives us the cost matrix 

/8.41 X 10-^ 1.48x10-3 2.00x10-3 1.11 x 10-3\ 

1.15x10-3 6.31x10-3 1.22x 10-3 2.84x 10-3 
2.41 x 10-3 1.90x 10-3 1.53 xlO-'^ 1.30x10-3 ' 

\1.15 x 10-3 2.77 x 10-3 1.15 x 10-3 4.49 x 10-3/ 

From this matrix, we aim to find two important quantities. First, we want to find the honest cost, p/,, for Bob. This 
is the rate at which Charlie would find mismatches even if Bob acts honestly. This situation occurs when Charlie 
erroneously rules out the state that Alice actually sent. The experimentally found probability of this happening is 
given by the diagonal elements of C, and so the honest cost is simply the average of the diagonal elements, giving 
Ph = 8.61 X 10-3. This rate is important for two reasons: first, the parameter Sa must be set higher than p/, for the 
protocol to be robust (to avoid aborting due to noise in the honest run); second, to be secure against forging p/, must 

be smaller than the rate at which Charlie finds mismatches if Bob is dishonest, i.e. being dishonest must carry some 

positive cost for Bob. 

We now consider the case of a dishonest Bob who tries to guess Alice’s signature so that he can forge a message to 
Charlie. We consider only individual and collective forging attacks, where Bob acts on each quantum state individually, 
but the outcome of his measurement on one quantum state can affect his choice of measurement on the others. Security 
against coherent forging attempts remains an open question. We want to find C,„in, the minimum possible rate that Bob 
will declare single signature elements which have been eliminated by Charlie. To do this, we use the cost matrix C 
and note that Cmin is the minimum cost associated with the matrix C. Finding minimum costs involves finding optimal 
measurements, which is in general a difficult problem. However, we are able to bound C,nm following the method in 
lot]. To do this, we find the matrices C*, C' and C/ with 

/8.41 X 10-3 8.41 X 10-3 8.41 x 10-3 8.41 x 10-3\ 

h _ 6.31 X 10-3 6.31 X 10-3 6.31 x 10-3 6.31 x 10-3 

^ “ 1.53 xlO-'^ 1.53 xlO-'^ 1.53 xlO-'^ 1.53 xlO-'^ ' 

^4.49 X 10-3 4.49 x 10-3 4.49 x 10-3 4.49 x 10-3/ 
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This is a constant-row matrix made up of the diagonal elements of the matrix C. The minimum cost achievable for this 
matrix is the honest cost, /?/,. The matrix 


/ 0 1.40x10-3 

1.09x10-3 0 

2.26x 10-3 1.75 x 10-3 
\1.11 X 10-3 2.72 X 10-3 


1.92 x 10-3 1.02 x 10-3\ 
1.15 X 10-3 2.78 X 10-3 
0 1.15x10-3 

1.11x10-3 0 


is the difference between C and C^\ It represents the difference between an honest strategy and a dishonest strategy. 
The minimum cost for this matrix is the minimum additional cost suffered from acting dishonestly. It is difficult to 
find the minimum cost for this matrix, so instead we can bound it below by reducing all non-zero elements to the the 


smallest non-zero element, to get the matrix 





( ® 

1.02 X 10-3 

1.02 X 10-3 

1.02 X 10-3\ 


1.02 X 10-3 

0 

1.02 X 10-3 

1.02 X 10-3 

c = 

1.02 X 10-3 

1.02 X 10-3 

0 

1.02 X 10-3 


\imx 10-3 

1.02 X 10-3 

1.02 X 10-3 

0 / 


The matrix corresponds to a lower bound on the additional probability Bob has of causing a mismatch if he is 
dishonest, when compared to the honest case. For this reason we define the constant, non-zero element, as guad, the 
guaranteed advantage an honest strategy has over a dishonest strategy. Since Cfj + C^j < Cij, the minimum cost of 
-I- must be less than the minimum cost of C. The matrix is of error-type, so its minimum cost is proportional 
to pminioc), the minimum error probability, and can be achieved using a minimum-error measurement 111^ . Since the 
optimal measurement is known, in this case, to be the SRM, we can calculate pmm{<x) for all values of a from; 


Ai = 2 e-l“l ^cos -f cosh 

Xi = 2 e-l“l^ ^sin +sinh 

I 3 = 2 e-l“l^ ^cosh - cos 

A 4 = 2 e-l“l ^sinh — sin 


Pmin{(^) — 1 


1 

16 



2 


Defining the gap, g = pmin x guad, we know ph+g < Cmin- For the particular case of jap = 0.4, p^in = 0.317 and 
we get 

p/,-fg = 8.61 X 10-3-h (0.317 X 1.02 X 10-3) = 4.10 x lO-'* < 


This is our lower bound on Cmin and in what follows we conservatively assume Cmin = Ph + g- As long as we choose 
Sy < Cmin, we can use to obtain 

P(Forge) < exp(-(C,„m -(3) 

Note that for simplicity we have only considered the case of Bob attempting to forge. We should also consider 
the possibility of Charlie trying to forge. In this case, we would replace the cost matrix (l2]i with the corresponding 
experimentally generated cost matrix for Charlie. The analysis then follows exactly as above and we would arrive at 
another value of valid for when Charlie is the forger. For the protocol to be secure against both Bob and Charlie 
attempting to forge, we would choose Cm,■„ = inin{C®5)|’,C^|’“'“}. For our implementation, and so Cm,« 

remains as above. 


D. Robustness 

Suppose all parties are honest. Bob aborts if either the (1/2)L states received from Alice result in mismatch rate 
greater than Sa or the measurement results for the (1/2)L states received from Charlie give mismatch rate greater than 
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Sa- We suppose that the channel from Alice to Bob has an error rate of pf and the channel from Alice to Charlie has 
an error rate of p^. Then we have 

P(Abort due to Alice) < exp (—— pf^)^L) 

P(Abort due to Charlie) < exp (—— pf^)^L). 

If we set Pi, = max{pf^,pf^) then the probability of an honest abort is bounded by 

P(honest abort) < 2exp(—— Ph)^L)- (4) 


E. Signature Length 


Using the above analysis, we can calculate the length of the signature needed to securely sign a single-bit message. 
Following JTH], we assume that there is no reason in general to favour one type of security over another, so we pick 
parameters Sa and s,, so as to make the probabilities of honest abort, forgery and repudiation all equal. If all these 
probabilities are all below 0.01%, we say that the protocol is secure to a level of 0.01%. By setting 

Sa = Ph + .g/ 4 , Sy = ph + 3 g/ 4 , ( 5 ) 


the probabilities of repudiation, forging, and honest abort all become approximately equal. More explicitly, consider¬ 
ing the terms in the exponent of equations ([T]), Q, (Hll, we see they are equal when 


M2) „^2 ln(2) 

j — {S'min ^v) — \^a Ph) j ; 


( 6 ) 


where the pre-factors of 2 have been taken inside the exponential. As L increases, the choice of Sa and s,, satisfying (|6]l 
tends to those given in (|5]l. 

Determining the value of the coherent state amplitude, a, that leads to the smallest possible signature length is, in 
general, a difficult problem. Higher values of |a|^ lead to lower loss and a smaller bit error rate, but come at the cost 
of making the states {|o:), \ia), \ — Ct), | — ia)} more distinguishable for a potential forger. Thus we need to strike a 
balance between correctly transmitting the states, and giving power to a forger. In the previous QDS experiment ifisll . 
the magnitude of a was varied in increments of I between I and 10. In order to minimise the signature length, the 
magnitude of a is chosen so as to maximise the gap, g, defined above. It was found that \a\^ = I gave the largest 
gap for the range considered, and extrapolation of subsequent experimental data suggested that |ap Ri 0.5 would be 
optimal. In fact, we found in this experiment that the optimal value was around |o:p = 0.4, for which the corresponding 
Pniin value is 0.317. 

We now have everything in place to calculate the signature length, L, needed to securely sign a message for |o:p = 
0.4. Over a distance of 500m, experimental data gives the honest cost as p/, = max(p®,p^) = 1.26 x 10^^. Note that 
this differs from the value used in the analysis above because in fact Charlie’s cost matrix gave a higher honest cost 
than Bob’s. We also find C„„>, = = 4.10 x 10^"^, as above. This gives the gap, g = Cmin — Ph = 

2.84 X 10^^, from which we can find the parameters Sa,Sv using ©. Putting it all together, we find that a signature 
length of L = 1.96 x 10® is required to sign a message to a security level of 0.01%. 

Although this is a significant improvement over the last QDS experiment ifT^ . there are a number of ways to further 
improve the efficiency of the protocol. The simplest would be to increase the clock rate and therefore the transmission 
rate. This would not decrease the signature length, but would decrease the time needed to transmit a given signature 
length. The pulse rate used in this QDS system was 100MHz, and there is scope to increase this to >lGHz as is 
typically found in modern QKD systems Despite the clock rate increasing by a factor of 10, the increased 

effects of inter- and intra- symbol interference mean that the corresponding decrease in the signature time will not be 
as great as a a factor of 10. The exact improvement strongly depends on the characteristics of the employed coherent 
source, single-photon detectors and timing electronics. 

Another possible improvement would be to switch to an operational wavelength of 1550nm as in rather than 
the 850 nm used in this experiment. At 1550nm, we would expect to see losses of about 0.22 dB per kilometer, a 
significant improvement over the 2.2 dB per kilometer in the current setup. This switch in wavelengths would enable 
a new QDS experiment to be carried out over lO’s of kilometers with similar performance to our QDS system at short 
distances. A wavelength of 850nm was selected for these experiments as it provides a good compromise between 
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the detection efficiency response of the mature low-noise, lowing timing-jitter, high efficiency thick junction silicon 
single-photon avalanche diodes at room temperature and the attenuation profile of fused silica optical fibres. 

As the system used in these experiments is similar in layout to that used in a number of QKD experiments, we can 
make an approximate comparison of the performance of our QDS system with that of a state-of-the-art QKD system 
isll by examining the quantum bit error rate (QBER). Reducing the QBER would decrease the size of the diagonal 
elements in the cost matrix (|2]i. This would lead to a larger gap, g, and therefore a smaller signature. There is perhaps 
less scope for improvement in this respect since the current setup achieved a QBER of around 4% over the range 
of distances investigated, which is comparable to the QKD system in where the QBER at 50km was 3.85%. 
The differing achievable transmission distances between the work presented here and reference being due to the 
increased loss of the fused silica optical fibres for light with a wavelength of 850 nm. 


III. EXPERIMENTAL METHODS 

The experimental system shown in Eigure[T]of the main paper, shares many similarities with common phase-basis- 
set QKD experiments ll2ll - l^ [^ . The main components are similar to our previous unambiguous state elimina¬ 
tion (USE) QDS system, with the multiport removed ifT^ . The sender Alice and receivers Bob and Charlie are all 
constructed from 4.4pm core diameter “panda-eye” polarization maintaining fiber that can support two orthog¬ 
onal linear polarization modes. Alice generates 850.17nm wavelength coherent-state pulses at a repetition rate of 
100 MHz by means of an electrically gain-switched vertical cavity surface-emitting laser (VCSEL) and a motorised 
optical attenuator ifisll . A Lithium Niobate (LiNbOa) phase modulator is used to encode the phases on weak pulses; a 
strong reference pulse is delayed by half a period from the encoded states. The uncertainty in the phase encoding is 
±1 .6 X lO^^rad, primarily induced by amplitude jitter in the electrical driving signal. The signal and reference pulses 
have orthogonal linear polarizations and are efficiently recombined using a polarisation beam combiner (PBC) llj^ 
before transmission through the 9 pm core diameter optical fiber quantum channel. The quantum channel is composed 
of reels of Corning SME-28e optical fiber that were retained within the same laboratory as Alice, Bob and Char¬ 
lie. Short lengths of 4.4pm core diameter fiber are spliced onto the input and output of the quantum channel to 
eliminate higher order spatial modes 

Mechanical and thermal stresses induced on the quantum channel will result in a time-evolving birefringence in the 
quantum channel that serves to reduce the linearity of the polarizations as they propagate. Bob and Charlie employ 
paddle-type static polarisation controller (SPC) to apply an opposing birefringence over a short (sil m) length of 4.4pm 
core diameter fiber, returning the states to linear prior to the measurement step. This correction is applied manually 
once before a set of measurements are recorded and is monitored during operation, with realignment when necessary. 
Euture revisions of this system will employ automatic correction of polarization evolution by means of monitoring a 
fraction of the delayed bright reference pulse. 

A polarization beam-splitter in each receiver ensures that the weak signal pulse traverses the long path with the 
5 ns delay while the bright reference pulse traverses the short path. The polarization and intensity of the reference 
pulse are altered to match the signal pulse before the two pulses are recombined on a final 50:50 beam combiner (BC) 
where they interfere. USE ifl^ is used to eliminate some possible phases for the signal states ifT^ . Commercially 
available free-running Geiger-mode (photon-triggering) silicon single-photon avalanche diodes (Si-SPADs) 1142] 
are employed as detectors, because they have reasonable detection efficiency (Ri40%) for photons with a wavelength of 
850nm, a low dark count rate (siSOOHz) and a low afterpulsing probability (RiO.5%) when compared to semiconductor 
detectors used at the telecommunications wavelengths 1143114^ . Although superconducting detectors have exhibited 
detection efficiencies of 93% such devices typically must be cooled to temperatures around 4 K with cryogens 
or large closed cycle coolers 11 ^ du ring operation while semiconductor technologies usually operate at near room 
temperature with Peltier coolers 11^ 1^ . There have been recent advances in semiconductor single-photon detector 
technologies for wavelengths around 1550 nm ll44l] and it is likely that future QDS experiments over Corning SMP-28e 
optical fiber will employ these technologies to further enhance the transmission range. Detector trigger events are 
time-stamped with time interval resolution of 1 ps using commercially available electronics iH. Technical limitations 
of interfacing and computer control meant that the maximum event rate that could be recorded by the receivers was 
approximately 4MHz. The time-stamping electronics require a lOMHz reference signal that is provided by common 
rubidium clock that is shared between Alice and the receivers. 

The air-gaps in each receiver consist of an immobile launching collimating lens and a collection lens attached to a 
linear piezo-electric-actuator with a total travel of Ri 1.5 pm in steps of Ril5nm. The receivers adjust the relative lengths 
of their measurement setup to ensure optimum interferometric visibility (typically 93%). The receivers’ demodulation 
systems had a mean attenuation of 6.96 dB. 

Analysis of the raw time-stamp information is carried out by custom software written in MATLAB lld^ . The time- 


12 



Experimental demonstration of kilometer-range quantum digital signatures 


stamps are filtered to discard those that occur outside of a window of ±2 ns centred on the expected arrival time of a 
pulse a process that retains 80% on average of the raw counts. The non-gated counts are from background noise, dark 
counts and non-interfering pulses. The custom software examines the detector bring patterns to perform USE. The 
measurement records are then retained to allow for subsequent forwarding of measurement results from Bob to Charlie 
and vice versa. This step needs to be done in secret from Alice, and could thus be accomplished using a standard QKD 
link between Bob and Charlie; this was however not implemented in the current setup. 
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